Tags: spring-security, vaadin, vaadin-flow, vaadin24

Vaadin 24 resources to bypass Spring Security


For Vaadin 14, there is documentation which clearly states which Vaadin resources should be added to the config to bypass Spring Security: https://vaadin.com/docs/v14/flow/tutorial/login-and-authentication

  /**
   * Allows access to static resources, bypassing Spring Security.
   */
  @Override
  public void configure(WebSecurity web) {
    web.ignoring().antMatchers(
        // Client-side JS
        "/VAADIN/**",

        // the standard favicon URI
        "/favicon.ico",

        // the robots exclusion standard
        "/robots.txt",

        // web application manifest
        "/manifest.webmanifest",
        "/sw.js",
        "/offline.html",

        // icons and images
        "/icons/**",
        "/images/**",
        "/styles/**",

        // (development mode) H2 debugging console
        "/h2-console/**");
  }

I'm unable to find the same information for Vaadin 24.

This is my current config:

    @Override
    public void configure(WebSecurity web) throws Exception {
        super.configure(web);

        web.ignoring().requestMatchers(
                "/session-expired",
                "/images/*",
                "/login",
                "/favicon.ico",
                "/favicon-notification.ico",
                "/offline.html",
                "/offline-stub.html",
                "/sw-runtime-resources-precache.js",
                "/robots.txt");
    }

What else should be added for the proper functioning of Vaadin 24? Do I need to add anything else there, like for example:

"/VAADIN/**",
"/sw.js",

or something else?


Solution

  • You should wrap your paths in AntPathRequestMatcher objects. This is my working configuration for Vaadin 24 Flow:

    /**
     * @see VaadinWebSecurity#configure(HttpSecurity)
     */
    @Override
    protected void configure(@NotNull final HttpSecurity http) throws Exception {
        http.authorizeHttpRequests().requestMatchers(
                // Client-side JS
                new AntPathRequestMatcher("/VAADIN/**"),

                // the standard favicon URI
                new AntPathRequestMatcher("/favicon.ico"),

                // the robots exclusion standard
                new AntPathRequestMatcher("/robots.txt"),

                // web application manifest
                new AntPathRequestMatcher("/manifest.webmanifest"),
                new AntPathRequestMatcher("/sw.js"),
                new AntPathRequestMatcher("/offline.html"),

                // icons and images
                new AntPathRequestMatcher("/icons/**"),
                new AntPathRequestMatcher("/images/**"),
                new AntPathRequestMatcher("/styles/**"),

                // (development mode) H2 debugging console
                new AntPathRequestMatcher("/h2-console/**")
        ).permitAll();

        super.configure(http);

        setLoginView(http, LoginView.class, LOGOUT_URL);
    }
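The answer shows only the `configure` method. Below is a complete, compilable `VaadinWebSecurity` subclass assembled as an added example (it is not the answerer's code or Vaadin's own). It assumes Vaadin 24 with Spring Security 6, uses the lambda form of `authorizeHttpRequests` that Spring Security 6 recommends instead of the chained form in the answer, and assumes an application-provided `LoginView` class and a `LOGOUT_URL` value, both of which the answer references without defining. The difference between the question's `web.ignoring()` and the answer's `permitAll()` is the security-relevant point: ignored paths leave the Spring Security filter chain entirely (no CSRF protection, security headers or session handling), while permitted paths are merely allowed without authentication.

```java
package com.example.security; // hypothetical package

import com.example.views.LoginView; // the application's own login view (assumed to exist)
import com.vaadin.flow.spring.security.VaadinWebSecurity;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends VaadinWebSecurity {

    // Where the user lands after logout; the answer references LOGOUT_URL without
    // defining it, so this value is a placeholder.
    private static final String LOGOUT_URL = "/";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Public paths that need no authentication. permitAll() keeps these requests
        // inside the Spring Security filter chain, so CSRF checks, security headers and
        // session handling still apply to them. The question's web.ignoring() would
        // instead remove them from the chain entirely.
        http.authorizeHttpRequests(auth -> auth.requestMatchers(
                // Client-side JS bundle and other Vaadin static resources
                new AntPathRequestMatcher("/VAADIN/**"),
                // the standard favicon URI
                new AntPathRequestMatcher("/favicon.ico"),
                // the robots exclusion standard
                new AntPathRequestMatcher("/robots.txt"),
                // web application manifest and service worker
                new AntPathRequestMatcher("/manifest.webmanifest"),
                new AntPathRequestMatcher("/sw.js"),
                new AntPathRequestMatcher("/offline.html"),
                // icons, images and stylesheets
                new AntPathRequestMatcher("/icons/**"),
                new AntPathRequestMatcher("/images/**"),
                new AntPathRequestMatcher("/styles/**")
        ).permitAll());

        // Vaadin's base configuration: permits the framework's internal requests and
        // requires authentication for every other request.
        super.configure(http);

        // Send unauthenticated users to the Flow login view and wire up logout.
        setLoginView(http, LoginView.class, LOGOUT_URL);
    }
}
```

The answer's `/h2-console/**` entry is deliberately left out here: the H2 web console is a development-only tool, and a rule that exposes it without authentication belongs behind a development profile rather than in the default configuration. Before duplicating any of these entries, check which static resources `VaadinWebSecurity` already ignores or permits in your Vaadin version, since a path listed in both places is only redundant, while an overly broad pattern added by hand (for example one covering application routes) silently widens the unauthenticated surface.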